atoti_query.security.oidc_security.OidcSecurity

class atoti_query.security.oidc_security.OidcSecurity

Manage OIDC security on the session.

Note

This requires an OidcConfig to be passed to atoti.Session.__init__()’s authentication parameter.

Example

>>> import os
>>> import atoti as tt
>>> session = tt.Session(
...     authentication=tt.OidcConfig(
...         provider_id="auth0",
...         issuer_url=os.environ["AUTH0_ISSUER"],
...         client_id=os.environ["AUTH0_CLIENT_ID"],
...         client_secret=os.environ["AUTH0_CLIENT_SECRET"],
...         name_claim="email",
...         scopes={"email", "profile", "username"},
...         roles_claims={"https://activeviam.com/roles"},
...     ),
...     port=1234,
... )
>>> table = session.create_table(
...     "Restrictions example", types={"Country": tt.STRING}
... )
>>> session.security.restrictions.update(
...     {
...         "ROLE_FRANCE": table["Country"] == "France",
...         "ROLE_UK": table["Country"] == "UK",
...     }
... )

Roles from the authentication provider’s ID Token can be mapped to roles in the session:

>>> session.security.oidc.role_mapping.update(
...     {"atoti user": {"ROLE_USER"}, "France": {"ROLE_FRANCE"}}
... )
>>> session.security.oidc.role_mapping
{'atoti user': {'ROLE_USER'}, 'France': {'ROLE_FRANCE'}}

Default roles can be given to users who have been granted no individual and mapped roles:

>>> session.security.oidc.default_roles.add("ROLE_UK")
>>> session.security.oidc.default_roles
{'ROLE_UK'}
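
The two rules above (provider roles from the ID Token are translated through `role_mapping`; `default_roles` apply only to a user who ends up with no individual and no mapped roles) can be modelled outside the session to reason about what a given token will be granted. The following is an added illustration, not atoti's own implementation: the resolution order is taken from the text on this page, while the claim layout (a roles claim holding a list or a single string), the `individual_roles` argument and the function names are assumptions.

```python
"""Stand-alone model of the OIDC role resolution described on this page.

Not atoti code: the order (individual roles, then roles mapped from the ID
Token claims, then default roles only when neither granted anything) follows
the page text; claim layout and function names are assumptions.
"""
from __future__ import annotations

from typing import Any, Iterable, Mapping

# Values taken from the page's example session (constructed ID Token claims below).
ROLES_CLAIMS = {"https://activeviam.com/roles"}
ROLE_MAPPING = {"atoti user": {"ROLE_USER"}, "France": {"ROLE_FRANCE"}}
DEFAULT_ROLES = {"ROLE_UK"}
NAME_CLAIM = "email"


def extract_token_roles(
    claims: Mapping[str, Any], roles_claims: Iterable[str]
) -> set[str]:
    """Collect the provider's roles from every configured roles claim.

    Assumption: a claim may carry a list of roles or a single string.
    Claims absent from the token are ignored rather than treated as an error.
    """
    roles: set[str] = set()
    for claim in roles_claims:
        value = claims.get(claim)
        if value is None:
            continue
        if isinstance(value, str):
            roles.add(value)
        else:
            roles.update(str(v) for v in value)
    return roles


def resolve_session_roles(
    claims: Mapping[str, Any],
    *,
    roles_claims: Iterable[str] = ROLES_CLAIMS,
    role_mapping: Mapping[str, set[str]] = ROLE_MAPPING,
    default_roles: set[str] = DEFAULT_ROLES,
    individual_roles: set[str] = frozenset(),
) -> set[str]:
    """Return the session roles a token holder ends up with.

    Provider roles with no entry in role_mapping grant nothing; default roles
    are only used when neither individual nor mapped roles were granted.
    """
    mapped: set[str] = set()
    for provider_role in extract_token_roles(claims, roles_claims):
        mapped.update(role_mapping.get(provider_role, ()))
    granted = set(individual_roles) | mapped
    return granted if granted else set(default_roles)


def resolve_user_name(claims: Mapping[str, Any], name_claim: str = NAME_CLAIM) -> str:
    """Read the user name from the configured name claim (here ``email``)."""
    name = claims.get(name_claim)
    if not isinstance(name, str) or not name:
        raise ValueError(f"ID Token has no usable {name_claim!r} claim")
    return name


if __name__ == "__main__":
    # Constructed claims: a user the provider tagged with two roles.
    token = {
        "email": "analyst@example.com",
        "https://activeviam.com/roles": ["atoti user", "France"],
    }
    print(resolve_user_name(token), resolve_session_roles(token))
```

Running the block prints the mapped roles for the constructed token. A token whose roles claim is missing or only lists provider roles absent from `role_mapping` falls through to `default_roles`, unless the user also holds individual roles, in which case the defaults are not applied.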

default_roles

The roles given to users who have been granted no individual and mapped roles.

role_mapping

The role mapping is done with the roles included in the ID Token sent by the authentication provider.